Hack 43. Lock Down KDE with Kiosk Mode

Control exactly what your users can tinker
with, and what they can't change at all.

System administrators typically
spend a lot of their time fixing trivial
problems for users who have accidentally changed their settings in
some way. When an inexperienced user moves a desktop icon into the
trash or sets a mime-type to open with the wrong program, he might be
unable to reverse his changes. Calls to the system administrator for
help are a poor use of everyone's time. It would be
better if the user had never been able to make undesirable changes.

Perhaps you just want to set up a Linux desktop for your grandmother
but she keeps changing the layout of the application toolbars without
meaning to. The new look confuses her so much that she calls you all
the time asking for help, or worse, she gives up on Linux or
computers. Wouldn't it be great if you could protect
your grandmother from herself?

For computers in a public setting such as an Internet café
or library, problems such as these turn into more than just
timewasters; they can prevent others from using the machine or cause
distress for users. Have you heard the common anecdote of the script
kiddy who has changed the background wallpaper on all the machines in
a library to pornographic photos?

5.10.1. Enter the Kiosk

KDE has traditionally been one of the most configurable desktop
environments available, but KDE 3.2.3 pushed the fold and added the
Kiosk framework, which allows for any or all of the configuration
options to be marked as unchangeable. With Kiosk you can create
profiles that are attached to users or groups of users. A profile can
define any KDE setting, but usually includes the contents of the
desktop, panel, and K Menus, as well as the choice of wallpaper,
default fonts, and widget style. You can also specify important
system settings, such as the network proxy and file associations.
Most importantly, all these options can be set to be unchangeable by
the user. This means grandma will never accidentally delete her web
browser icon, and a bored teenager can't change the
library's computer wallpaper to something that will
give grandma a heart attack.

The easiest way to set up a Kiosk profile is to use the Kiosk Admin
Tool. Some distributions include this by default or include a package
for it. If you need to, you can download the source from its web site
at http://extragear.kde.org/apps/kiosktool.php.

Start the Kiosk tool (as a normal user; there's no
need to run as root) by selecting
K-menuSystemKiosk Admin Tool, or with the
kiosktool command, and click Add New Profile. Give
this profile a name such as
"locked-down" and click OK to save.
When prompted, provide your root password to save the new profile.
Now click Manage Users and add a user policy to link a user to your
new locked-down profile. You can also add Linux user groups to the
policy. The Kiosk tool links to /etc/group,
which is where you should manage group membership. To configure a
profile, select it in the list and then click Next. The next screen
presents numerous modules, each with specific configuration options
in it. Ticking an option will lock down its corresponding feature.
The settings will be saved when you click Back.

Some of the modules offer graphical setup for their settings. For
example, under the Desktop Icons module you can load a temporary
desktop to replace your normal one. Switch to a different virtual
desktop (Ctrl-F2) if you have windows covering your background. You
can add, remove, and move any of the icons on the temporary desktop.
When you click Save in Kiosk Admin Tool, the settings for this
desktop will be saved and your normal desktop will be loaded again.
This makes configuring the setup for your Kiosk profile as easy as
configuring your own desktop.

A general breakdown of the types of settings you will find in the
most important modules follows:

General

Contains the settings that control the global properties for all KDE
programs and includes the ability to run commands, log out, or move
toolbars. Disabling Konsole removes not only its entry from the K
Menu, but also the embedded Konsoles in Konqueror and Kate.

Turns off standard menu actions such as open, print, paste, settings,
etc., from all KDE applications.

File Associations

Ensures that files can be opened only with the specified programs.

Network Proxy

Enforces the use of your web proxy. Uses a web proxy to restrict
which web sites a user can browse.

Panel

Used to lock down the panel, prevents users from adding or removing
the items you place here, and enables you to prevent panel context
menus from working.

The Kiosk framework has been used in large enterprise deployments of
KDE. Administrators report that it cuts the time taken up by user
support by half, because it reduces the number of small but
time-consuming problems users have. If you are considering using
Kiosk in a public setting you might want to make yourself familiar
with the KDE configuration file format. Browse through
/etc/kde-profile to see the settings made by the
Kiosk Admin Tool. Adding [$i] to a configuration
option, group of options, or file makes them unchangeable by users.

Kiosk is not a substitute for using Unix filesystem permissions or
other security settings. You should also make sure you set X to not
be killable with Ctrl-Alt-Backspace, and prevent users from changing
to a text console. Finally, make sure the login manager does not
allow users to log in to any other desktop environment that has not
been locked down.